Forward the Chain on Istio EnvoyFilter x-forwarded-client-cert

wael_mashal · June 20, 2023, 11:49am

Anyone can help me, how we can write an Istio EnvoyFilter with mode:SIMPLE using that can add to headers the chain in x-forwarded-client-cert ? I can see the x-forwarded-client-cert with client cert but not the chain


      "x-forwarded-proto": "https",
      "x-request-id": "7fd003cb-baf0-4fcd-b2e6-708515850021",
      "x-forwarded-client-cert": "Hash=76d029c42d62b6d4e00e633cae70cfedd9e6ea05689292d9227393a657e1dbc3;Cert=\"-----BEGIN%20CERTIFICATE-----%0AMIIF1zCCA7%2BgAwIBAgIQFhFNeCm5MuCEeiG2PlAVMjANBgkqhkiG9w0BAQsFADB5%0AMQswCQYDVQQGEwJERTENMAsGA1UEBwwERVUxMDEPMA0GA1UECgwGU0FQIFNFMSMw%0AIQYDVQQLDBpTQVAgQ2xvdWQgUGxhdGZvcm0gQ2xpZW50czElMCMGA1UEAwwcU0FQ%0AIENsb3VkIFBsYXRmb3JtIENsaWVudCBDQTAeFw0yMjA4MDcwNzI1MDBaFw0yMzA4%0AMDcwODI1MDBaMIHQMQswCQYDVQQGEwJERTEPMA0GA1UEChMGU0FQIFNFMSMwIQYD%0AVQQLExpTQVAgQ2xvdWQgUGxhdGZvcm0gQ2xpZW50czEtMCsGA1UECxMkMjUyNWM4%0AYzctOWRjNi00NjFhLWJjM2ItMTlkNTJiNzE1YTM2MS0wKwYDVQQHEyQ1MGUzOThm%0AYy1hNDAzLTQ2MWQtYTIyOC1kOGEwOWRhZGFmYzYxLTArBgNVBAMTJDUwZTM5OGZj%0ALWE0MDMtNDYxZC1hMjI4LWQ4YTA5ZGFkYWZjNjCCASIwDQYJKoZIhvcNAQEBBQAD%0AggEPADCCAQoCggEBANl2mHqbQ%2B4SC2lw6rQ73cJajFljICpL1bGC39NM%2BlZvhi%2Fz%0AL2%2FDdSayFUab5fHCvF7A8VDOMbGh%2BsDLvQV5BC0dO97W0tOo21QLFUAS1ttv8YYH%0AcL2IbfPGYXfE4rP3O5xX0m8%2FT9mLudXxfbjZhxBz%2BOHLjplDAo3b6hhk6COh7BEh%0AKSRmzBCkrruvWOnYnJoAmprmwnP6%2BEsWE9HDk5xgnEa5MiGwRbut3Dd%2BsEzaNYff%0AZ9A%2BDlrFS8m2KDuNBY8AXt3aqrz3J0hhnUTGaZ11%2FHx1BmFgCht1bgSRylqI4HmP%0AfIve3ccVpDvNYDCCpYW%2BCdNeuqAaOIK9YWL4dGUCAwEAAaOCAQEwgf4wCQYDVR0T%0ABAIwADAfBgNVHSMEGDAWgBRNsO7sXVfhqDUo%2Fx%2BHfVKxn0UzZDAdBgNVHQ4EFgQU%0AlOuguNi%2BHX%2BdCgqAdoQ%2FwUtQGi8wDgYDVR0PAQH%2FBAQDAgWgMBMGA1UdJQQMMAoG%0ACCsGAQUFBwMCMIGLBgNVHR8EgYMwgYAwfqB8oHqGeGh0dHA6Ly9zYXAtY2xvdWQt%0AcGxhdGZvcm0tY2xpZW50LWNhLWV1MTAtY3Jscy5zMy5ldS1jZW50cmFsLTEuYW1h%0Aem9uYXdzLmNvbS9jcmwvOTJkNzUxODYtM2Y1Mi00NzMzLTg1MTAtZDZkNjJhNmMx%0AOTZmLmNybDANBgkqhkiG9w0BAQsFAAOCAgEAYztKM3cmoQhyoxLWSgoK3ag9iXCO%0AVZ73BxEFIAU4hp%2B1VkNrHSV6nx443GEoSx9Cu99TkU0PVaefNc1DyA4lSz%2FYL%2FlL%0AEl5a4JZ4agzoZr%2BeTVyoYHbBZvQ6UV4T2xfeKhMV1v%2BFG1AL7LNkelnqsIn25vLe%0AjtbswEDhlPTGy8OjNgL%2FOwKf67DLVZosXGUOcEbpP%2FGAGZnmbU%2B5kiO8dO6%2Feq8i%0AvVrODyKEtlsGy1D%2FqgUyVB48sNzqVV6inPQAZhtZqq5ReyX7UzkxfCR6wxOVHx6o%0Az8jV7GYVyG0L3aD4sAUJ%2F6IYD2MI7C3z79Am9AM809%2BnEBvUY%2B0Y22GfpyoSOfNW%0AkhGLvGVzb%2BPg0R%2B60fQg0RkmzHNKrMfYFSzB%2BPh6sDqDo6HZzrGbeYv7vgV%2FLbdR%0AjKLtakNrX5fZ0M%2F%2FLuhmzpDiZ3qenL5s2S9XhQ%2FhwQUNyCzG0E7v7x6eQOK7v8ZA%0AJny9DQPnaPHqXqssp3vYiFQt%2B38zgI7bevlkHD%2BU2%2BrlydIzIOAkqY%2BWwGTPaZFS%0ANC4PO6JasXMQIS1iTYLsNncw5dNUgJCPGclZ5I7r400CvfALOpDhQEu7NxA2ZV9N%0A5EQvZqusHDF0zSHpVlw7z1KL3KTShlr75zK%2FhRyYsi4Y8vcLG2Se0YqwpontspnL%0A0GeeMMkt9Dpn22w%3D%0A-----END%20CERTIFICATE-----%0A\";Subject=\"CN=50e398fc-a403-461d-a228-d8a09dadafc6,L=50e398fc-a403-461d-a228-d8a09dadafc6,OU=2525c8c7-9dc6-461a-bc3b-19d52b715a36,OU=SAP Cloud Platform Clients,O=SAP SE,C=DE\";URI=,By=spiffe://cluster.local/ns/resource-manager/sa/default;Hash=da4ccc5ea3b4f155b2130eb2ecb2cbabc878303215d0fdcbe168601d283fe72b;Subject=\"\";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account",
      "x-envoy-attempt-count": "1",
      "x-client-ssl-cn": "CN=50e398fc-a403-461d-a228-d8a09dadafc6,L=50e398fc-a403-461d-a228-d8a09dadafc6,OU=2525c8c7-9dc6-461a-bc3b-19d52b715a36,OU=SAP Cloud Platform Clients,O=SAP SE,C=DE",

I already have a working EnvoyFilter for the combined context that show me the header with client cert BUT I need something can add the Chain on the header ?

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: add-validation-context-to-simple-mode
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
    - applyTo: FILTER_CHAIN
      match:
        context: GATEWAY
        listener:
          portNumber: 8443
      patch:
        operation: MERGE
        value:
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
              common_tls_context:
                combined_validation_context:
                  default_validation_context: {}
                  validation_context_sds_secret_config:
                    name: kubernetes://api-mtls-cacert
                    sds_config:
                      ads: {}
                      resource_api_version: V3

To add the Chain
I tried to config the IstioOperator with the following , but not help

spec:
  meshConfig:
    defaultConfig:
      gatewayTopology:
        forwardClientCertDetails: ALWAYS_FORWARD_ONLY

I tried the following EnvoyFilter but also not working

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: xfcc-forward
  namespace: xfcc
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"
          forward_client_cert_details: ALWAYS_FORWARD_ONLY
          set_current_client_cert_details:
            subject: true
            cert: true
            chain: true

wael_mashal · June 20, 2023, 3:11pm

Hi

A working sample here for this XFCC in the following link

github.com/istio/istio

ForwardClientCertDetails doesn't forward external client certificate

opened 02:35PM - 23 Jun 21 UTC

closed 01:13PM - 07 Jul 21 UTC

denisky

area/networking area/security

## Bug description We have a use case where we want to validate a client certif…icate from an external client in an internal service. We observed that a certificate is being added to the **x-forwarded-client-cert** header, but it is the certificate from the ingress gateway. Also the **cert** key is not present in the header. ### Mesh Configuration [Configuring X-Forwarded-Client-Cert Headers](https://istio.io/latest/docs/ops/configuration/traffic-management/network-topologies/#configuring-x-forwarded-client-cert-headers) ```yaml meshConfig: rootNamespace: custom-istio-namespace enableTracing: false accessLogFile: /dev/stdout enableAutoMtls: true defaultConfig: gatewayTopology: numTrustedProxies: 2 forwardClientCertDetails: APPEND_FORWARD ``` **Note:** It was tested using **APPEND_FORWARD** and **ALWAYS_FORWARD_ONLY** ### EnvoyFilter - set_current_client_cert_details ```yaml apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: xffc-details namespace: custom-ingress-namespace spec: workloadSelector: labels: istio: ingressgateway configPatches: - applyTo: NETWORK_FILTER match: context: GATEWAY listener: filterChain: filter: name: "envoy.filters.network.http_connection_manager" patch: operation: MERGE value: typed_config: "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager" set_current_client_cert_details: subject: true cert: true chain: true dns: true uri: true ``` ### Affected product area [ ] Docs [ ] Installation [X] Networking [ ] Performance and Scalability [ ] Extensions and Telemetry [X ] Security [ ] Test and Release [ ] User Experience [ ] Developer Infrastructure [ ] Upgrade ## Expected behavior Client certificate information should be present in **x-forwarded-client-cert** header. ## Version **istioctl version --remote** ``` client version: 1.10.1 control plane version: 1.10.1 data plane version: 1.10.1 (1 proxies) ``` **kubectl version --short** ``` Client Version: v1.21.1 Server Version: v1.20.6+k3s1 ``` **helm version --short** ``` v3.6.0+g7f2df64 ``` ## Environment OS: Ubuntu 20.04.2 LTS on Windows WSL2 Kubernetes: k3s

Topic		Replies	Views
Configuring EnvoyFilter for Forwarding Client Certs In Istio Networking security	1	1424	May 9, 2021
How can I set Envoy's `forward_client_cert_details` for sidecars as opposed to gateways Networking	1	1086	January 5, 2022
Helped needed creating Envoy-Filter Config	2	874	April 9, 2020
Istio Peer connection clarification Security	2	470	November 17, 2020
SSL passthrough does not work without intermediary chain Security	2	551	August 27, 2019

Forward the Chain on Istio EnvoyFilter x-forwarded-client-cert

Related topics